'Italian Job' trojan could lead to future localised attacks

By Frank Washkuch on Jun 25, 2007 7:00AM

Security researchers said today that the recent MPACK-aided trojan attack is a sign that future mass-attacks may become increasingly localised.

The MPACK delivery device for malware was used to propagate trojan attacks this month, mostly affecting users in Italy.

Dave Cole, director of Symantec Security Response, told SCMagazine.com that MPACK-related attacks are unique both for their use of existing websites and regional nature.

"If [attackers] are using an existing site where there is already traffic, people expect that the site is benign and they’re not expecting(an attack)," he said.

"The other big ticket thing is that historically, threats have been global in nature…if you look at this attack, it was really limited to Italy. A lot of these more deceptive attacks have pushed the threat to where it’s really more regional."

Ken Dunham, director of the rapid response team at VeriSign iDefense, said on Wednesday that a Russian underground hacker named $ash was selling the MPACK device for between US$500 and US$1,000.

The hacking tool exploits a number of Windows flaws and claims a 50 per cent success rate in silent attacks launched against web browsers, according to Dunham.

"The Russian Business Network (RBN) is one of the most notorious criminal groups on the internet today. A recent MPACK attack installed Torpig malicious code hosted on an RBN server.

RBN is closely tied to multiple attacks including Step57.info cPanel exploitation, VML, phishing, child pornography, Torpig, Rustock and many other criminal attacks to date," he said. "Nothing good ever comes out of the Russian Business Network net block."

Researchers said the attack infected nearly 10,000 websites by Monday.

Commonly referred to as the "Italian Job" trojan due to the majority of infected pages being hosted in Italy, the malware downloads a keylogger designed to steal banking and confidential information through a wide range of web-infection downloads.

Randy Abrams, director of technical education at ESET told SCMagazine.com that users and administrators must keep their systems patched to prevent similar attacks.

"It’s like if you don’t have a lock on your door and you catch a burglar in your house and then you don’t do anything to fix the door.

If users keep their [operating systems] and their applications patched, they’re not going to be impacted by MPACK," he said.

Got a news tip for our journalists? Share it with us anonymously here.